Excluded Category | Summary of measure(s), including any impact data where available

Measures certified as being below de minimis (measures with an EANDCB below +/- £5 million)

We have produced guidance documents for business to explain the requirements of the new EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018):

• 12 steps for preparing for the LED
• Guide to the Law Enforcement Provisions
• Guide to the GDPR
• Detailed documentation guidance
• Guide to the Data Protection Fee
• Introduction to the DP Bill
• Detailed legitimate interests guidance
• Lawful basis interactive guidance tool
• Consent
• Detailed right to be informed guidance
• Detailed guidance on automated decision making and profiling
• Detailed guidance on DPIAs
• Detailed guidance on Children
• Education sector FAQs
• Hospitality FAQs
• Small retailers FAQs
• Small financial service FAQs
• Data Protection self-assessments
• 8 steps for micro businesses

We have also produced guidance on the Network and Information Systems Regulations 2018 (NIS) and the eIDAS Regulation (eIDAS):

• Guide to NIS
• Guide to eIDAS

While it is possible to calculate the cost to business of reading our guidance documents in terms of reading time (and we did this for the 2015-2017 submission), it is not possible to monetise the direct benefit to business of reading our guidance. As reading the guidance is voluntary, we consider that it is reasonable to expect that business will therefore read it only where it leads to net benefits; the analysis therefore assumes that the benefits are at least equal to the costs. The Regulatory Policy Committee (RPC) approved this approach in the ICO's submission for 2015-2017. All of these guidance documents will therefore be exempted as their EANDCB is less than £5 million.
EU and International

We have produced guidance documents for business to explain the requirements of the GDPR, DPA 2018, NIS and eIDAS which are excluded as they fall into the de minimis exclusion category.

None of the changes of European origin place additional burdens on business beyond those required under legislation of EU origin, i.e. no gold plating has occurred.

Economic regulation

Following consideration of the exclusion category there are no measures for the reporting period that qualify for the exclusion.

Price Control

Following consideration of the exclusion category there are no measures for the reporting period that qualify for the exclusion.

Civil Emergencies

Following consideration of the exclusion category there are no measures for the reporting period that qualify for the exclusion.

Fines and Penalties

Following consideration of the exclusion category there are no measures for the reporting period that qualify for the exclusion.

Pro-Competition

Following consideration of the exclusion category there are no measures for the reporting period that qualify for the exclusion.

Large Infrastructure projects

Following consideration of the exclusion category there are no measures for the reporting period that qualify for the exclusion.

Misuse of Drugs/National Minimum Wage

Following consideration of the exclusion category there are no measures for the reporting period that qualify for the exclusion.

Systematic Financial Risk

Following consideration of the exclusion category there are no measures for the reporting period that qualify for the exclusion.

Industry Codes

Following consideration of the exclusion category there are no measures for the reporting period that qualify for the exclusion.


Casework

No activities listed in this section represent a change in the burden of regulation placed on business, except where these result from a separate qualifying regulatory provision that has been assessed.

Our regulatory activities which can be classed as 'casework' include requests for assessment under section 42 of the Data Protection Act 1998, enforcement work, audits and a helpline and written enquiries service. In November 2017, we set up a new helpline for SMEs. From 25 May 2018, the ICO has equivalent functions under the GDPR.

In the period 8 June 2017 to 14 June 2018, the numbers of these relating to businesses were as follows:

Enquiries: 10,685
Requests for assessment: 10,413
Enforcement work: 343
Audits:
• Full audits: 28
• Follow ups: 18
• Undertaking follow ups: 4
• Information risk reviews: 36
• Advisory visits: 64

From 1 November 2017 to 31 March 2018, we received an average of 1,278 calls each week to the SME helpline.


Education, communications and promotion

During this period we have published a number of webinars, podcasts and conference recordings on data protection matters. We consider that these fall within the category of education, communications and promotion, since they are intended to raise awareness of DP issues and provide a record of our events, rather than to impose any obligation or requirement on businesses. These resources are as follows:

• Videos available on the ICO's YouTube channel:
  o GDPR for the boardroom
  o Data Protection for small healthcare organisations
  o The ICO's new advice line for SMEs
  o Use our new advice line for SMEs
  o Elizabeth Denham's keynote speech video
  o Getting ready for the new UK data protection law: Eight practical steps
  o Information Commissioner on the opportunities GDPR will bring for businesses and organisations
  o Information Commissioner on how the GDPR will help you to control your personal data
  o An introduction to Your Data Matters
  o ICO layered privacy notice
• The ICO Podcast:
  o Episode 1: Answering your questions about GDPR myths
  o Episode 2: Answering questions about Data Protection Impact Assessments
  o DPPC podcast extra: What are the wider cultural challenges facing local government around information sharing and the GDPR?
  o Episode 3: Answering questions about Lawful Basis

We hold an annual conference for data protection practitioners (the DPPC) each Spring which is attended by a cross section of businesses, and we also organise other awareness-raising events relevant to business. The DPPC was held in April 2018.

• Personal data breach resources (from the DPPC)
• Lawful basis resources (from the DPPC)

None of the material produced creates a new regulatory standard that businesses are expected to follow, and attendance at educational events is voluntary.


Activity related to policy development

In the reporting period, we carried out a number of consultations on GDPR guidance, as listed below:

• Data Protection Impact Assessments (DPIAs) guidance
• Children and the GDPR guidance
• Contracts and liabilities between controllers and processors guidance
Changes to management of regulator

Following Elizabeth Denham's appointment as Information Commissioner in July 2016, she has built a Senior Leadership Team comprising the Deputy Chief Executive, the General Legal Counsel and Deputy Commissioners for Operations and Policy.

There has also been further reorganisation within departments, and the ICO is implementing an internal Change Programme in order to prepare for our responsibilities as the Data Protection Authority under the GDPR. These are internal arrangements and do not impose any obligations or costs on business.


